What We Know So Far About Meltdown and Spectre, the Devastating Vulnerabilities in Modern CPUs

This week, news of massive security vulnerabilities afflicting every modern model of Intel processor went public, even as developers for practically every major platform frantically rushed to roll out fixes. Much more information has now become available about Meltdown and Spectre, a group of attack methods malicious parties could use to break into some of the most sensitive inner workings of any device using the affected CPUs.

Here’s what we know so far.

What’s the problem?

In 2017, Google’s Project Zero team, in collaboration with researchers at a number of different universities, identified an absolutely massive problem with speculative execution, one of the techniques employed in modern microprocessors as a way of improving performance.

Essentially, when a processor uses speculative execution, instead of performing tasks strictly sequentially, it predicts which calculations it might need to do subsequently. It then solves them in advance and in parallel fashion. The result is that the CPU wastes some cycles performing unnecessary calculations, but performs chains of commands much faster than if it waited to process them one after the other.

However, there’s a serious flaw in the way modern processors are hardcoded to use speculative execution—they don’t check permissions correctly and leak information about speculative commands that don’t end up being run. Whoops.

As a result, user programs can potentially catch glimpses of protected parts of kernel memory. That’s memory dedicated to the most essential core components of an operating system and their interactions with system hardware, and it’s supposed to be isolated from user processes at all times to prevent such glimpses from happening. Everything from passwords to stored files could be compromised as a result.

According to a release by the Graz University of Technology, the researchers have identified three potential attack methods, Meltdown and two closely-related vulnerabilities collectively named Spectre:

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

As ZDNet wrote, a worst-case scenario is that a low-level user could run JavaScript code hosted on a webpage and gain access to kernel memory. As TechCrunch noted, another worst-case scenario is users on cloud services that share hardware resources being able to peek at other clients’ operations.

There’s no way to truly fix Meltdown or Spectre on the hardware level. It can’t be fixed with a microcode update.

But researchers can rewrite OSes and other platforms to work around the error by severing kernel memory entirely from user processes with a method called Kernel Page Table Isolation—though as the Register noted, the cost might be processors working up to five to 30 percent slower depending on the model and task. Cloud-based services like Amazon and Google servers are likely to be the hardest hit, while it’s possible the impact on home users could be negligible. Meltdown is more easily patched than Spectre, which security researcher Daniel Gruss told ZDNet is “going to haunt us for years.”
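To see whether a given Linux machine has the workaround described above in place, you can read the kernel's own status report. The following is an added example, not part of the original article: it assumes a Linux kernel recent enough to expose /sys/devices/system/cpu/vulnerabilities (4.15 and later), where an active Kernel Page Table Isolation shows up as "Mitigation: PTI". The function names are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the article): summarise what the Linux kernel
# reports about Meltdown and the two Spectre variants.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS_LINE -> prints OK, MITIGATED, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;          # CPU does not have the flaw
        "Mitigation:"*)  echo MITIGATED ;;   # e.g. "Mitigation: PTI" for Meltdown
        "Vulnerable"*)   echo VULNERABLE ;;  # flaw present, no workaround active
        *)               echo UNKNOWN ;;     # missing or unrecognised report
    esac
}

# report_cpu_vulns [DIR] -> prints one line per issue.
# Returns 1 if any issue is neither OK nor MITIGATED, otherwise 0.
report_cpu_vulns() {
    _dir=${1:-$VULN_DIR_DEFAULT}
    _rc=0
    for _name in meltdown spectre_v1 spectre_v2; do
        _file="$_dir/$_name"
        if [ -r "$_file" ]; then
            _status=$(head -n 1 "$_file")
        else
            # Older kernels and non-Linux systems have no such file.
            _status="(no report from kernel)"
        fi
        _verdict=$(classify_status "$_status")
        case "$_verdict" in
            OK|MITIGATED) ;;
            *) _rc=1 ;;
        esac
        printf '%-11s %-10s %s\n' "$_name" "$_verdict" "$_status"
    done
    return "$_rc"
}

# Usage on a live system: report_cpu_vulns
# Usage on files copied from another host: report_cpu_vulns /path/to/copy
```

A missing report is treated as UNKNOWN rather than safe, since a kernel too old to expose these files is also too old to carry the fix.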

Intel CEO Brian Krzanich told CNBC that Google alerted the company to the flaw some time ago, but it leaked ahead of time because “Somebody was doing some updates on a Linux kernel and they improperly posted that this was due to this flaw.”

Who’s impacted?

Since this is a hardware bug, everything running on affected processors is vulnerable, including every major OS (Windows, Linux, and macOS), some mobile devices, and cloud computing providers.

Originally, the Register reported, only Intel processors (which dominate the U.S. market) were believed to be subject to the flaw. But it’s become clear that a wide range of processor types could be affected, with Google writing that AMD, ARM, and other devices were also vulnerable—though only partially and with less performance impact following a fix than Intel-based devices.

In a statement to Gizmodo, AMD said that of the three attack variants, one was easily resolved with “negligible performance impact,” while the others have “near zero risk” or “zero risk” due to “architecture differences.”

ARM told Gizmodo that it has been working “together with Intel and AMD to address a side-channel analysis method which exploits speculative execution techniques used in certain high-end processors, including some of our Cortex-A processors. This is not an architectural flaw; this method only works if a certain type of malicious code is already running on a device and could at worst result in small pieces of data being accessed from privileged memory.”

Qualcomm did not immediately respond to a request for comment.

On the mobile side, Apple said it has released patches for Meltdown vulnerabilities in iOS 11.2, although patches for Safari on both macOS and iOS were still forthcoming as of Thursday. Apple said that watchOS is not affected. According to ZDNet, many Android devices are likely impacted but “given the failure or tardiness of many Android vendors to update their devices with security updates, many on the mobile operating system are likely to remain vulnerable until a new phone is purchased.”

What are companies doing about it?

Companies are rushing to patch platforms. Per Axios, Microsoft has already patched Windows 10 and will release patches for Windows 7 and 8, Amazon Elastic Compute Cloud is already mostly secured, AMD is still investigating, and ARM is still working on how to address the issue. Apple did not respond to Axios’ request for comment, though security researcher Alex Ionescu tweeted it already released an initial fix for its desktop-based macOS in December 2017’s 10.13.2. (Apple has since confirmed that the 10.13.2 update addressed Meltdown vulnerabilities, although the company said it is continuing to investigate the issue.)

“We’ve found no instances of anybody actually executing this exploit,” Krzanich told CNBC. “… I mean, it’s very hard—we can’t go out and check every system out there. But when you take a look at the difficulty it is to actually go and execute this exploit—you have to get access to the systems, and then access to the memory and operating system—we’re fairly confident, given the checks we’ve done, that we haven’t been able to identify an exploit yet.”

Update, 7:51pm: Apple has confirmed that its macOS 10.13.2 and iOS 11.2 updates mitigate Meltdown vulnerabilities. As of Thursday night, however, updates to address possible Spectre exploits affecting Safari for macOS and iOS are still to arrive “in the coming days.”